Cyber Incident Victim: Bavarian State Government
Date: Oct 2023
Location: Germany
Summary
The Bavarian city of Nürnberg experienced a sustained DDoS attack targeting its public web portal, causing significant service disruption and temporary inaccessibility. Attackers utilized botnets to flood external servers with hundreds of thousands of requests per minute from constantly shifting IP addresses and servers, overwhelming infrastructure while leaving internal city systems and data uncompromised. Municipal experts and service providers implemented countermeasures to restore basic functionality amid ongoing intermittent attacks, characterizing the defense efforts as challenging due to the attackers' rotating infrastructure. Officials confirmed no data breach occurred and explicitly ruled out ransom payments to the perpetrators.
Description
On October 12, 2023, the city of Nürnberg experienced a sustained cyberattack targeting its public-facing internet portal, nuernberg.de. The incident began at approximately 8:30 AM local time when the website became unreachable due to a distributed denial-of-service (DDoS) attack. Attackers utilized botnets to flood the city’s external servers with hundreds of thousands of simultaneous requests per minute, overwhelming system capacity and preventing public access to online services. The city’s IT department and server operator immediately initiated countermeasures, characterizing the attack as originating from constantly shifting IP addresses and servers across multiple geographical locations, complicating attribution efforts. By the afternoon of the same day, partial service restoration occurred, though officials warned of potential intermittent disruptions due to ongoing attacks. Municipal data systems and internal administrative IT infrastructure remained unaffected throughout the incident.

The attack persisted beyond initial containment efforts, with attackers continuously deploying new servers to launch repeated DDoS attempts against the portal. City spokespersons described defense operations as "Sisyphean work," requiring real-time mitigation of evolving attack vectors aimed solely at causing service disruption rather than data exfiltration. Technical teams maintained server stability through sustained countermeasures despite persistent bombardment. Officials publicly ruled out any ransom demands or extortion attempts associated with the incident, explicitly stating the city would not pay cybercriminals under any circumstances. Service availability fluctuated during response operations, with systems functioning "reasonably stable" by midday though remaining vulnerable to new attack waves. The city maintained public communications through press releases and media statements while continuing collaborative defense efforts with technical partners to neutralize the attacks.
